10 Years After 9/11, Do We Face a Serious Cyberterrorism Threat?

Since the attacks of Sept. 11, 2001, the possibility of a second devastating attack by al-Qaida or a similar group has been on the minds of many Americans. There has been much discussion as to whether terrorist groups could get access to nuclear, biological or chemical weapons — weapons of mass destruction.

Should we be concerned about another potential threat — a cyberweapon of mass destruction?

Yes, say security experts. The cyberterrorist threat is real, and plots involving such attacks may already be in the works.

According to Damon Petraglia, a director with Chartstone, a computer, network and digital forensic resource company based in Connecticut, and a member of the electronic crimes task force for the U.S. Secret Service, cyberterrorist attacks have been taking place for more than a decade.

“We have seen pro-Pakistani hackers repeatedly attacking computers in India with increasing frequency in the early 2000s,” Petraglia said. “In 2009, there were attacks against South Korean and United States websites presumed to originate from North Korea. In 2010, we saw the most sophisticated attack to date with Stuxnet in Iran.”

Stuxnet, Petraglia explained, was a worm with highly specialized malware coded to target only Siemens-manufactured Supervisory Control and Data Acquisition (SCADA) systems that control and monitor specific industrial processes. This code was created to sabotage the uranium-enrichment process at a specific Iranian nuclear facility by forcing changes in the rotor speeds of centrifuges.

We will continue to see more sophisticated attacks, as well as low-tech traditional attacks, emanating from hostile nations and groups,” Petraglia added. “Traditional terrorist groups and nation-states are able to fund the creation of extremely sophisticated attacks and technologies or tools to be used as weapons.”

What is and what isn't cyberterrorism

The Stuxnet attack on the Iranian nuclear facility was the attack that opened a lot of eyes in America and other Western countries to the potential cyberterrorist threat. But it also opened up a question: What exactly constitutes an act of cyberterrorism?

The definition of cyberterrorism has been highly debated since the 1990s, because it is not easy to define how devastating the damage caused by a single computer attack might be. The term itself has been controversial, sometimes inflated and used in different contexts.

However, the U.S. Federal Bureau of Investigation's definition of cyberterrorism is accepted by many. According to the FBI, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."

“This definition is quite narrow because it compares cyberterrorism with traditional terrorism,” Mustaca said. “Unlike viruses or computer attacks that result in a denial of service a cyberterrorist attack is designed to cause physical violence or extreme financial harm.

“Possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers and water systems,” he added. “There are several other definitions which define it much more generally as any computer crime targeting computer networks without necessarily affecting real-world infrastructure, property, or lives.”

“Cyberterrorism is likely not what movies make it out to be,” Manky said. “Think of movies like 'Die Hard 4' where attackers launch a sophisticated, synchronized attack where they disrupt traffic lights, phone lines and TV broadcasts at the same time.

“The truth of the matter,” he added, “is that many of these systems depend on different technology (hardware platforms, software, etc.) and different vulnerabilities need to be discovered to take control [of]/breach such systems.”

Who's likely to become a cyberterrorist?

If defining cyberterrorism is difficult, profiling a potential cyberterrorist is only slightly easier.

“A cyberterrorist would fit a similar profile to a traditional terrorist, either domestic or foreign,” said Kurt Baumgartner, a senior malware researcher at Moscow-based Kaspersky Lab. “They maintain extreme views and justify their actions and intents with radical religious or radical political views.”

One primary difference between a cyberterrorist and a traditional terrorist is that the former would have a sophisticated knowledge of hacking and information-technology vulnerabilities — or would have the funds to employ people skilled in those areas.

They will likely be very creative, not necessarily well-educated formally, but very smart nonetheless,” Petraglia said. “They will think outside the box and employ unorthodox methods to solve problems.”

The experts agree about what the likely targets of a cyberterrorist attack would be.

“A cyberterrorist attack might exploit technical vulnerabilities in a state’s computer-supported infrastructure to disrupt critical networked systems, in order to produce a spectacle of shocking consequences,” Baumgartner said. “Such an attack may disrupt the electrical power grid on a coast, shipping on the Mississippi, rail trains crossing the U.S., pipelines delivering natural gas, the traffic lights in L.A., or it may cause systems to deliver dirty water to cities for an extended time.”

Prevention begins with you

What steps can be taken to prevent a cyberterrorist attack?

First of all, proper authentication, security rollout and network segmentation should be considered when it comes to security for industrial control systems,” Manky said. “Many of these systems are running on technology decades old, thus known security holes continue to exist.

“However, they [the SCADA systems] used to be closed-circuit [with no Internet connection],” he said. “Nowadays, these systems have public access for means of convenience, which, of course, connects them and makes them potential targets for cyberterrorist groups or cyberwarfare.”

For other systems that may be high-profile targets, users of all access levels need to be educated to avoid means of attacks such as spear phishing, which has been devastatingly successful against defense contractors in recent months.

Furthermore, a valid security solution should always be in place for both servers (Web application firewalls, database security systems) as well as endpoints (unified threat management (UTM), etc.), Manky added. Patches should always be applied to these systems to close security holes.

Just as citizens are asked to pitch in and do their part to prevent more traditional acts of terrorism — for example, by submitting to extended security screenings at airports — cyberterrorism prevention is everyone’s responsibility, Mustaca said.

That responsibility begins with people using computers at home, he said.

“They [ordinary people's home PCs] are the 'bots' used in DDOS [attacks], which are an act of cyberterrorism, according to the broad definition of the term,” he said. “So everyone needs to take measures to protect one's computer and information.”